Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

https://snyk.io/vuln/npm:ms:20170412 possible fix #90

Closed
Delagen opened this issue May 16, 2017 · 6 comments
Closed

https://snyk.io/vuln/npm:ms:20170412 possible fix #90

Delagen opened this issue May 16, 2017 · 6 comments

Comments

@Delagen
Copy link

Delagen commented May 16, 2017

May split to 2 regular matchers

var testScale=/^milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y$/i;
function parse(str) {
  str = String(str);
  if (str.length > 10000) {
    return;
  }
  var match = /^((?:\d+)?\.?\d+)\s*(\w*)$/i.exec(
    str
  );
  if (!match) {
    return;
  }
  if(match[2] && !testScale.test(match[2])){
    return;
  }

with test

describe("CWE-400", function (){
  it('should break if longer than 50ms', function() {
    this.timeout(50);
    ms('1'.repeat(9998) + 'Q');
  });
});
@Delagen Delagen mentioned this issue May 16, 2017
Merged
@leo
Copy link
Contributor

leo commented May 16, 2017
edited

Fixed in #89

@leo leo closed this as completed May 16, 2017
@Delagen
Copy link
Author

Delagen commented May 16, 2017
edited 

for (var i = 0; i < 1000; i++) {
ms("1".repeat(98) + "Q");
}

time: 72.148ms
Split regex implementation time: 8.242ms

@Delagen
Copy link
Author

Delagen commented May 16, 2017

Moreover this may be faster

var scales = {
	"years":        y,
	"year":         y,
	"yrs":          y,
	"yr":           y,
	"y":            y,
	"days":         d,
	"day":          d,
	"d":            d,
	"hours":        h,
	"hour":         h,
	"hrs":          h,
	"hr":           h,
	"h":            h,
	"minutes":      m,
	"minute":       m,
	"mins":         m,
	"min":          m,
	"m":            m,
	"seconds":      s,
	"second":       s,
	"secs":         s,
	"sec":          s,
	"s":            s,
	"milliseconds": 1,
	"millisecond":  1,
	"msecs":        1,
	"msec":         1,
	"ms":           1
};
function parse(str) {
	str = String(str);
	var match = str.split(/\s*?(?=[a-z])/i);
	var n = parseFloat(+match[0]);
	if (isNaN(n)) {
		return;
	}
	var scale = (match.slice(1).join("") || "ms").toLowerCase();
	if (!(scale in scales)) {
		return;
	}
	return n * scales[scale];
}

@leo leo reopened this May 17, 2017
@Delagen
Copy link
Author

Delagen commented May 17, 2017

I can open Mr, i have 1 more optimization with remove slice, join

@Delagen
Copy link
Author

Delagen commented May 17, 2017

Opened PR #91

@leerob
Copy link
Member

leerob commented Mar 2, 2021

Closing as stale 🙏

@leerob leerob closed this as completed Mar 2, 2021
@RobertMickleCx RobertMickleCx mentioned this issue Mar 7, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Delagen @leo @leerob